> On Nov. 16, 2015, 9:29 p.m., Sravya Tirukkovalur wrote:
> > sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java, line 314
> > <https://reviews.apache.org/r/40316/diff/2/?file=1125743#file1125743line314>
> >
> > Looks like this can cause overhead for all commands. Looking at how we
> > can restrict these for only queries which have a TOK_FUNCTION.
>
> Ryan Pridgeon wrote:
> Yeah I tried to accomplish it this way at first. The problem is
> TOK_FUNCTION will never be a root level ASTNode. It will always be the child
> of some other Token. The problem is we will have to ensure that we call
> this for any and all operations which could hide a function as one of its
> children. I thought about catching TOK_SELECT but I haven't confirmed
> that this won't also be nested in the event of something like a CTAS.
>
> Select max(a) from test;
>
> TOK_QUERY
>    TOK_FROM
>       TOK_TABREF
>          TOK_TABNAME
>             test
>    TOK_INSERT
>       TOK_DESTINATION
>          TOK_DIR
>             TOK_TMP_FILE
>       TOK_SELECT
>          TOK_SELEXPR
>             TOK_FUNCTION
>                max
>                TOK_TABLE_OR_COL
>                   a
>
> Create table as select max(a) from test;
>
> TOK_CREATETABLE
>    TOK_TABNAME
>       test3
>    TOK_LIKETABLE
>    TOK_QUERY
>       TOK_FROM
>          TOK_TABREF
>             TOK_TABNAME
>                test
>       TOK_INSERT
>          TOK_DESTINATION
>             TOK_DIR
>                TOK_TMP_FILE
>          TOK_SELECT
>             TOK_SELEXPR
>                TOK_FUNCTION
>                   max
>                   TOK_TABL
>
> We would have to try and account for any possible operation in which a
> function could be called.
>
> Ryan Pridgeon wrote:
> Sorry, didn't mean to resolve that. Just reopened it.

I just verified using "hive.server2.builtin.udf.blacklist" = "reflect,reflect2,java_method" solves the problem and we can make sure these are blocked from sentry by calling FunctionRegistry.setupPermissionsForBuiltinUDFs by appending to the existing blacklist.

- Sravya

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/40316/#review106704
-----------------------------------------------------------

On Nov. 14, 2015, 7:55 p.m., Ryan Pridgeon wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/40316/
> -----------------------------------------------------------
>
> (Updated Nov. 14, 2015, 7:55 p.m.)
>
>
> Review request for sentry.
>
>
> Repository: sentry
>
>
> Description
> -------
>
> SENTRY-960: Bring whitelist validation back
>
>
> Diffs
> -----
>
> sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java 18b8a8f
> sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestEndToEnd.java 23577c2
>
> Diff: https://reviews.apache.org/r/40316/diff/
>
>
> Testing
> -------
>
> Ran the code in a live cluster to confirm it works
>
> Added unit test.
>
>
> Thanks,
>
> Ryan Pridgeon
>
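
The nesting problem discussed in this thread, as an added example that is not part of the original e-mail or of the Sentry or Hive code: a check on the root token alone never sees TOK_FUNCTION, so the whole tree has to be walked. `Node` is a hypothetical stand-in for Hive's ASTNode, the tree is a constructed sample shaped like the CTAS dump above, and the example assumes the function name is the first child of TOK_FUNCTION as in those dumps.

```java
import java.util.*;

// Added illustration; Node is a hypothetical stand-in for Hive's ASTNode.
public class FunctionTokenScan {
    static final class Node {
        final String text;
        final List<Node> children;
        Node(String text, Node... children) {
            this.text = text;
            this.children = Arrays.asList(children);
        }
    }

    // The three names given in the thread for hive.server2.builtin.udf.blacklist.
    static final Set<String> BLACKLIST =
        new HashSet<>(Arrays.asList("reflect", "reflect2", "java_method"));

    // Collect the name under every TOK_FUNCTION node, at any depth.
    static List<String> functionNames(Node root) {
        List<String> found = new ArrayList<>();
        Deque<Node> stack = new ArrayDeque<>();
        stack.push(root);
        while (!stack.isEmpty()) {
            Node n = stack.pop();
            if ("TOK_FUNCTION".equals(n.text) && !n.children.isEmpty()) {
                found.add(n.children.get(0).text.toLowerCase(Locale.ROOT));
            }
            for (Node c : n.children) stack.push(c);
        }
        return found;
    }

    static boolean usesBlacklisted(Node root) {
        for (String f : functionNames(root)) if (BLACKLIST.contains(f)) return true;
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample: a CTAS whose nested select calls a blacklisted UDF.
        Node select = new Node("TOK_SELECT", new Node("TOK_SELEXPR",
            new Node("TOK_FUNCTION", new Node("reflect"),
                new Node("TOK_TABLE_OR_COL", new Node("a")))));
        Node query = new Node("TOK_QUERY",
            new Node("TOK_FROM", new Node("TOK_TABREF",
                new Node("TOK_TABNAME", new Node("test")))),
            new Node("TOK_INSERT", select));
        Node ctas = new Node("TOK_CREATETABLE",
            new Node("TOK_TABNAME", new Node("test3")), new Node("TOK_LIKETABLE"), query);

        System.out.println("root token: " + ctas.text);
        System.out.println("functions:  " + functionNames(ctas));
        System.out.println("blocked:    " + usesBlacklisted(ctas));
    }
}
```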
